EH-Net
Author Topic: VoIP - Setting a lab and using good tools?  (Read 4087 times)
H1t M0nk3y (Hero Member, Posts: 864)
« on: September 11, 2011, 02:48:02 PM »

Hi everyone,

I am starting to play with VoIP and I have a couple of questions for you guys:

1) How can I set up a lab? Is there some LiveCD or VM image I can use? I know installing everything myself is the best way, but I have limited time now and I always like to learn slowly...

2) What tools (free/$$$) do you use for vulnerability assessment? And for exploitation?

When looking at this site, it is easy to get confused... http://voipsa.org/Resources/tools.php

I am asking because I *may* have to audit a network with VoIP soon. Although I will not be the prime consultant for pentesting the VoIP component of this network, I really need to know more about this technology...

Thanks guys

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
cd1zz (Hero Member, Posts: 561)
« Reply #1 on: September 11, 2011, 06:45:53 PM »

By any chance do you have the 4th edition of Gray Hat Hacking? There are about 20 pages in there on hacking VoIP. Let me know if you don't.

sil (Hero Member, Posts: 549)
« Reply #2 on: September 12, 2011, 09:44:34 AM »

Pentesting VoIP is no different from pentesting, say, an e-mail server. In a VoIP-based PBX there are accounts similar to those on an email server:

VOIP
Username
Password
Registrar

EMAIL
Username
Password
Domain

Your best bet would be to run the typical scans (nmap, etc.) along with sipvicious to test for weak usernames and passwords. Nmap will tell you what is visible, in similar fashion to any server: "This port is open"; what is it doing, what is it running, are there any known vulnerabilities against that version? sipvicious is similar to, say, hydra and Nmap: give it a target and a list of usernames or passwords and it will try to register an account on the machine.

The key to it all is ingenuity. In a VoIP environment, too many admins have the tendency to make extensions usernames. For example:

VOIP
Username 1001
Password 1001
Registrar this.is-my-pbx.net

There is no reason other than a lack of understanding of risk to configure accounts like this. It's akin to an email admin creating the following:

EMAIL
Username John
Password John
Registrar corp-mail.server-here.com

So your goal would be recon, in similar fashion to figuring out what a username is for email, only in this instance it is VoIP. I would start with extensions as usernames, e.g., 1000-1999 and so on. Here is a live example of someone on one of my Asterisk honeypots, with line numbers added at the beginning:


Code:
1: <--- Transmitting (NAT) to 79.117.57.167:5060 --->
2: SIP/2.0 180 Ringing
3: Via: SIP/2.0/UDP 79.117.57.167:5060;branch=z9hG4bK-d8754z-4c30389f4dd4dbfc-1---d8754z-;received=79.117.57.167
4: From: <sip:3097@xxx.xxx.xxx.195;transport=UDP>;tag=3023bf3b
5: To: <sip:00263912792068@xxx.xxx.xxx.195;transport=UDP>;tag=as30fa28c1
6: Contact: <sip:00263912792068@xxx.xxx.xxx.195>

Line 1 shows their external IP address. When this phone registers, I can see their internal IP space in Asterisk. Verbose logging will show me the registered device's egress, in this case from a Romanian attacker.

Line 2 states, back and forth from client to server (PBX), that the number called is going through the ringing stage.

Line 3 shows the detailed information about the call and who is connected to it.

Line 4 shows the extension (USERNAME) making the call.

Line 5 shows what number the user is trying to call.

In this example, an attacker from Romania (1) tried calling 00263912792068 (5) using the extension (username) 3097 on my honeypot xxx.xxx.xxx.195. The log entry shows how extensions / usernames are done in many PBXs. Therefore, recon may be able to tell you what extension ranges are visible. Google the company name + mailing lists. See if you can get a signature from someone:

John Doe
Pentest My Company
VP Operations
212 555 2000 ext 3097

The 3097 is the range I would test first with sipvicious, e.g. ranges 3000-3200, and go longer if I see extensions hit, say, 3198. As for the setup, it depends on what type of PBX they're using. Cisco Call Manager, Avaya, PBXNSIP, SnomOne, etc. all differ; however, they WILL NOT differ in terms of registrations. Registrations meaning usernames, passwords, registrar.

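The two things the reply above does by hand, reading the fields out of an Asterisk SIP trace and turning a harvested "ext 3097" into a first username range for sipvicious, as an added Python example (not code from the original thread or from sipvicious). The SIP trace and e-mail signature are constructed inputs modelled on the post; the rule that extensions come in blocks of 100, which is what turns 3097 into 3000-3200, is my assumption, not something the post states.

```python
import ipaddress
import re

# Constructed sample input (shaped like the Asterisk trace quoted in the post,
# not copied from a real system): a 180 Ringing sent to the registered phone.
SAMPLE_TRACE = """\
<--- Transmitting (NAT) to 79.117.57.167:5060 --->
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 79.117.57.167:5060;branch=z9hG4bK-d8754z-4c30389f4dd4dbfc-1---d8754z-;received=79.117.57.167
From: <sip:3097@xxx.xxx.xxx.195;transport=UDP>;tag=3023bf3b
To: <sip:00263912792068@xxx.xxx.xxx.195;transport=UDP>;tag=as30fa28c1
Contact: <sip:00263912792068@xxx.xxx.xxx.195>
"""

# Constructed e-mail signature of the kind the post suggests harvesting.
SAMPLE_SIGNATURE = """\
John Doe
Pentest My Company
VP Operations
212 555 2000 ext 3097
"""

_STATUS_RE = re.compile(r"^SIP/2\.0\s+(?P<code>\d{3})\s+(?P<reason>.+)$")
_URI_RE = re.compile(r"<sip:(?P<user>[^@;>]+)@(?P<host>[^;>]+)")
_VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(?P<transport>[A-Za-z]+)\s+(?P<sent_by>[^;\s]+)")
_RECEIVED_RE = re.compile(r";received=(?P<addr>[^;\s]+)")
_EXT_RE = re.compile(r"\b(?:ext|x)\.?\s*(?P<ext>\d{3,5})\b", re.IGNORECASE)


def parse_sip_trace(trace):
    """Extract the fields the post reads off the trace by hand.

    In a response the Via header is copied from the request, so its sent-by
    host (or the received= parameter, when the PBX recorded a NATed source)
    is where the call really came from. From carries the extension that
    placed the call, To the number it dialled.
    """
    info = {"status": None, "reason": None, "transport": None,
            "remote": None, "from_user": None, "to_user": None}
    for raw in trace.splitlines():
        line = raw.strip()
        m = _STATUS_RE.match(line)
        if m:
            info["status"] = int(m.group("code"))
            info["reason"] = m.group("reason")
        elif line.startswith("Via:"):
            m = _VIA_RE.match(line)
            if m:
                info["transport"] = m.group("transport").upper()
                info["remote"] = m.group("sent_by").split(":")[0]
            r = _RECEIVED_RE.search(line)
            if r:  # received= is the address the PBX actually saw; it wins
                info["remote"] = r.group("addr")
        elif line.startswith("From:"):
            m = _URI_RE.search(line)
            if m:
                info["from_user"] = m.group("user")
        elif line.startswith("To:"):
            m = _URI_RE.search(line)
            if m:
                info["to_user"] = m.group("user")
    return info


def fraud_indicators(info, extension_range=(1000, 9999)):
    """Reasons a reviewer of the trace would flag it; empty list if none."""
    reasons = []
    lo, hi = extension_range
    user = info["from_user"] or ""
    if user.isdigit() and lo <= int(user) <= hi:
        reasons.append("caller is a bare numeric extension (guessable username)")
    dialled = info["to_user"] or ""
    if dialled.startswith("00") or dialled.startswith("+"):
        reasons.append("dialled number is international (00/+ prefix)")
    try:
        if info["remote"] and not ipaddress.ip_address(info["remote"]).is_private:
            reasons.append("originating endpoint is a public address")
    except ValueError:  # sent-by was a hostname, not an address
        pass
    return reasons


def extension_range_from_signature(text, block=100):
    """Turn an 'ext NNNN' found in a signature into the first range to probe.

    Assumption (mine, not the post's): extensions are handed out in blocks
    of `block`, so 3097 implies a 3000-3099 block and the next block up is
    worth a pass too, which yields 3000-3200 as in the post.
    """
    m = _EXT_RE.search(text)
    if not m:
        return None
    lo = (int(m.group("ext")) // block) * block
    return lo, lo + 2 * block


def candidate_credentials(lo, hi, extra_passwords=("1234", "password")):
    """(username, password) pairs in the order the post argues hits first:
    extension as username with the extension itself as password, then a few
    common fallbacks. Feed this to a cracker such as sipvicious; it is a
    wordlist builder, not a SIP client."""
    pairs = []
    for ext in range(lo, hi + 1):
        user = str(ext)
        pairs.append((user, user))
        pairs.extend((user, p) for p in extra_passwords)
    return pairs


if __name__ == "__main__":
    info = parse_sip_trace(SAMPLE_TRACE)
    print(info)
    print(fraud_indicators(info))
    rng = extension_range_from_signature(SAMPLE_SIGNATURE)
    print(rng, len(candidate_credentials(*rng)), "credential pairs")
```

On the sample trace the parser reports the 180 Ringing status, the public source 79.117.57.167, extension 3097 calling 00263912792068, and all three fraud indicators fire; the signature yields the 3000-3200 range the post proposes.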

H1t M0nk3y (Hero Member, Posts: 864)
« Reply #3 on: September 12, 2011, 11:07:03 AM »

Thanks again and again Sil!!

Very good explanation. I will also read your document tonight: http://infiltrated.net/asterisk-ips.html

More questions to come!

OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
impelse (Hero Member, Posts: 563)
« Reply #4 on: September 12, 2011, 11:15:47 AM »

Good explanation Sil.

I have seen VoIP attacks three times, and all three times they were successful. The conclusion was: outdated systems and weak passwords.

CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
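The "extension as password" account sil describes and the weak-password conclusion above, shown as an Asterisk chan_sip configuration beside a hardened version. This is an added illustration, not a configuration from the thread or from any of the systems mentioned; the two `[general]` sections are separate fragments (a real sip.conf has one), and the 192.168.1.0/24 phone subnet is an assumed value.

```ini
; --- Weak sip.conf fragment: what the attacker in the trace above needs ---
[general]
alwaysauthreject=no     ; "unknown user" and "bad password" get different replies,
                        ; so a cracker can confirm which extensions exist first
allowguest=yes          ; unauthenticated INVITEs are accepted

[1001]
type=friend
secret=1001             ; username == extension == password
host=dynamic            ; may register from anywhere
context=internal

; --- Hardened equivalent ---
[general]
alwaysauthreject=yes    ; same 401/403 whether or not the user exists
allowguest=no

[1001]
type=friend
secret=REPLACE_WITH_LONG_RANDOM_SECRET   ; generated, never the extension
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0                     ; registrations only from the phone LAN
permit=192.168.1.0/255.255.255.0         ; assumption: phones live on this subnet
```

The `deny`/`permit` pair does nothing for softphones that legitimately roam; for those, a long random `secret` plus `alwaysauthreject=yes` is the minimum, and rate limiting at the firewall or with fail2ban (as the infiltrated.net document linked above discusses) is what stops the 3000-3200 sweep.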
© 2013 The Ethical Hacker Network